BodgeIt

https://code.google.com/archive/p/bodgeit/

The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.

Some of its features and characteristics:
* Easy to install – just requires Java and a servlet engine, e.g. Tomcat
* Self contained (no additional dependencies other than the two above)
* Easy to change on the fly – all the functionality is implemented in JSPs, so no IDE is required
* Cross platform
* Open source
* No separate db to install and configure – it uses an ‘in memory’ db that is automatically (re)initialized on start-up

All you need to do is download and open the zip file, and then extract the war file into the webapps directory of your favorite servlet engine.

Then point your browser at (for example) https://localhost:8080/bodgeit

You may find it easier to find vulnerabilities using a pen test tool.

If you don’t have a favourite one, I’d recommend the Zed Attack Proxy (for which I’m the project lead).

The BodgeIt Store includes the following significant vulnerabilities:
* Cross Site Scripting
* SQL injection
* Hidden (but unprotected) content
* Cross Site Request Forgery
* Debug code
* Insecure Object References
* Application logic vulnerabilities

If you spot any others then let me know 😉

There is also a ‘scoring’ page (linked from the ‘About Us’ page) where you can see various hacking challenges and whether you have completed them or not.

Vulnerable Web Applications
BadStore: https://www.badstore.net/
BodgeIt Store: https://code.google.com/p/bodgeit/
Butterfly Security Project: https://thebutterflytmp.sourceforge.net/
bWAPP: https://www.mmeit.be/bwapp/ and https://sourceforge.net/projects/bwapp/files/bee-box/
Commix: https://github.com/stasinopoulos/commix-testbed
CryptOMG: https://github.com/SpiderLabs/CryptOMG
Damn Vulnerable Node Application (DVNA): https://github.com/quantumfoam/DVNA/
Damn Vulnerable Web App (DVWA): https://www.dvwa.co.uk/
Damn Vulnerable Web Services (DVWS): https://dvws.professionallyevil.com/
Drunk Admin Web Hacking Challenge: https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/
Exploit KB Vulnerable Web App: https://exploit.co.il/projects/vuln-web-app/
Foundstone Hackme Bank: https://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Foundstone Hackme Books: https://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Foundstone Hackme Casino: https://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Foundstone Hackme Shipping: https://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Foundstone Hackme Travel: https://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
GameOver: https://sourceforge.net/projects/null-gameover/
hackxor: https://hackxor.sourceforge.net/cgi-bin/index.pl
Hackazon: https://github.com/rapid7/hackazon
LAMPSecurity: https://sourceforge.net/projects/lampsecurity/
Moth: https://www.bonsai-sec.com/en/research/moth.php
NOWASP / Mutillidae 2: https://sourceforge.net/projects/mutillidae/
OWASP BWA: https://code.google.com/p/owaspbwa/
OWASP Hackademic: https://hackademic1.teilar.gr/
OWASP SiteGenerator: https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks: https://sourceforge.net/projects/owaspbricks/
OWASP Security Shepherd: https://www.owasp.org/index.php/OWASP_Security_Shepherd
PentesterLab: https://pentesterlab.com/
PHDays iBank CTF: https://blog.phdays.com/2012/05/once-again-about-remote-banking.html
SecuriBench: https://suif.stanford.edu/~livshits/securibench/
SentinelTestbed: https://github.com/dobin/SentinelTestbed
SocketToMe: https://digi.ninja/projects/sockettome.php
sqli-labs: https://github.com/Audi-1/sqli-labs
MCIR (Magical Code Injection Rainbow): https://github.com/SpiderLabs/MCIR
sqlilabs: https://github.com/himadriganguly/sqlilabs
VulnApp: https://www.nth-dimension.org.uk/blog.php?id=88
PuzzleMall: https://code.google.com/p/puzzlemall/
WackoPicko: https://github.com/adamdoupe/WackoPicko
WAED: https://www.waed.info
WebGoat.NET: https://github.com/jerryhoff/WebGoat.NET/
WebSecurity Dojo: https://www.mavensecurity.com/web_security_dojo/
XVWA: https://github.com/s4n7h0/xvwa
Zap WAVE: https://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip